Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Description
The resource google_access_context_manager_service_perimeter_ingress_policy is declared as immutable: true in Magic Modules (ServicePerimeterIngressPolicy.yaml), which causes every field to be ForceNew. Any change — even adding a single project to ingress_from.sources.resource — triggers a destroy + create of the entire ingress policy.
This is disruptive in production VPC-SC perimeters because the destroy (PATCH removing the policy) and create (PATCH adding it back) are not atomic. During the gap, traffic matching that ingress rule is denied.
The Google API already supports in-place updates
The resource internally uses PATCH with updateMask=status.ingressPolicies for both create and delete operations. The same PATCH endpoint supports updating ingress policies in-place — the API does not require destroying and recreating them.
Evidence from the provider source code itself:
// Create uses PATCH
create_verb: 'PATCH'
// Delete uses PATCH
delete_verb: 'PATCH'
// Both use updateMask=status.ingressPolicies
url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": "status.ingressPolicies"})
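The gap described above, as an added example that is not code from this issue or from the provider: a small Go model of the two PATCH sequences. DestroyThenCreate writes the ingress policy list twice (once without the policy, once with the changed one), UpdateInPlace writes it once, and DeniedStates counts how many written states would deny an existing source. BuildIngressPoliciesPatch shows the single in-place PATCH with the same updateMask the provider already uses. The struct shapes, the base URL, the perimeter name and the project numbers are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// IngressSource, IngressFrom and IngressPolicy are a constructed, minimal model
// of one entry in a perimeter's status.ingressPolicies list (only the fields
// this example needs).
type IngressSource struct {
	Resource string `json:"resource,omitempty"`
}

type IngressFrom struct {
	Sources []IngressSource `json:"sources"`
}

type IngressPolicy struct {
	IngressFrom IngressFrom `json:"ingressFrom"`
}

// PatchRequest is the URL and JSON body one PATCH call to the perimeter would carry.
type PatchRequest struct {
	URL  string
	Body string
}

// BuildIngressPoliciesPatch builds a single PATCH that sets status.ingressPolicies
// to exactly `policies`, using the same updateMask the provider uses for create
// and delete. baseURL and perimeterName are supplied by the caller (assumed values
// in this example).
func BuildIngressPoliciesPatch(baseURL, perimeterName string, policies []IngressPolicy) (PatchRequest, error) {
	u, err := url.Parse(baseURL + "/v1/" + perimeterName)
	if err != nil {
		return PatchRequest{}, err
	}
	q := u.Query()
	q.Set("updateMask", "status.ingressPolicies")
	u.RawQuery = q.Encode()

	body, err := json.Marshal(map[string]interface{}{
		"status": map[string]interface{}{"ingressPolicies": policies},
	})
	if err != nil {
		return PatchRequest{}, err
	}
	return PatchRequest{URL: u.String(), Body: string(body)}, nil
}

// DestroyThenCreate models today's ForceNew behaviour: the first PATCH writes the
// list without the old policy, the second writes it with the changed policy appended.
func DestroyThenCreate(current []IngressPolicy, idx int, updated IngressPolicy) [][]IngressPolicy {
	without := make([]IngressPolicy, 0, len(current))
	without = append(without, current[:idx]...)
	without = append(without, current[idx+1:]...)
	with := make([]IngressPolicy, 0, len(without)+1)
	with = append(with, without...)
	with = append(with, updated)
	return [][]IngressPolicy{without, with}
}

// UpdateInPlace models a single PATCH that replaces the policy in one write.
func UpdateInPlace(current []IngressPolicy, idx int, updated IngressPolicy) [][]IngressPolicy {
	next := make([]IngressPolicy, len(current))
	copy(next, current)
	next[idx] = updated
	return [][]IngressPolicy{next}
}

// allowsSource reports whether any policy in the list admits the given source resource.
func allowsSource(policies []IngressPolicy, resource string) bool {
	for _, p := range policies {
		for _, s := range p.IngressFrom.Sources {
			if s.Resource == resource {
				return true
			}
		}
	}
	return false
}

// DeniedStates counts the perimeter states written by a PATCH sequence in which
// ingress from resource is denied; each one is a window of dropped traffic.
func DeniedStates(states [][]IngressPolicy, resource string) int {
	denied := 0
	for _, s := range states {
		if !allowsSource(s, resource) {
			denied++
		}
	}
	return denied
}

func main() {
	// Constructed sample: one policy admitting project 111..., and we want to add project 222...
	const existing = "projects/111111111111"
	current := []IngressPolicy{{IngressFrom: IngressFrom{Sources: []IngressSource{{Resource: existing}}}}}
	updated := IngressPolicy{IngressFrom: IngressFrom{Sources: []IngressSource{
		{Resource: existing},
		{Resource: "projects/222222222222"},
	}}}

	fmt.Println("destroy+create denied windows:", DeniedStates(DestroyThenCreate(current, 0, updated), existing))
	fmt.Println("in-place denied windows:", DeniedStates(UpdateInPlace(current, 0, updated), existing))

	// Assumed base URL and perimeter name; the real values come from the perimeter being managed.
	req, err := BuildIngressPoliciesPatch("https://accesscontextmanager.googleapis.com",
		"accessPolicies/123/servicePerimeters/prod", UpdateInPlace(current, 0, updated)[0])
	if err != nil {
		panic(err)
	}
	fmt.Println(req.URL)
	fmt.Println(req.Body)
}
```

Running it shows one denied window for the destroy+create sequence and none for the in-place update, which is the whole point of the request: the same updateMask the provider already sends can carry the modified policy in one write.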